
UiPath Orchestrator

The UiPath Orchestrator Guide

Release date: 14 November 2022

Automation Suite 2022.10.0 is now available.

Automation Suite robots

With Automation Suite robots, you can now run background unattended automation and utilize high density robots without having to worry about constantly provisioning new machines yourself to provide robot computational power at scale.

Add the new Automation Suite Robots machine template to folders to make sure a machine and robot are always available when unattended jobs need to run.

To use this feature, you must install the associated service when you install Automation Suite, or enable the service post-installation.


Optimized node requirements

We have optimized the per-node requirements for our products. Hence, for large robot deployments, you now need to increase your Orchestrator HPA capacity.

 

Release date: 24 October 2022

🚧

The capabilities and fixes described in these release notes are currently available only in standalone Orchestrator.

What’s New


Classic to modern migration wizard

With the upcoming deprecation and removal of classic folders, we have created a migration wizard to assist you in transitioning your tenants from using classic folders to using modern folders.

The wizard can greatly reduce the required migration effort by recreating your existing classic folder hierarchy and resources in modern folders.

For more information about the wizard and instructions, see Migrating from classic to modern folders.
For more information about the differences between folder types, see Classic folders vs modern folders.

Known issue

After the migration, account-machine mappings are sometimes not generated, rendering you unable to run jobs.
To solve this, you can update the account-machine mappings at the folder level, selecting the desired option for your particular scenario:

  • Inherit from tenant applies any tenant mappings to this particular folder.
  • Specific account-machine mappings for this folder restricts the mapping to the account you select from the list.

New Admin experience

Host and organization administrators, we have big news for you: The Administration pages have been redone in a new style!


Where are my settings?

Not to worry. We have left the functionality as you know it. It might live in a different place, but we assure you, it's all still there and your settings are unchanged.

Change is hard

That's why we have included an option that lets you switch back to the old Admin experience.


We understand you might have gotten attached to the old interface and might need to switch back because you don't have time to figure out the new interface.
But you should know that this option is only available for a limited time. In the future, we plan to remove the old experience completely.

 

Security settings interface changes

We have also improved the user interface in the Security Settings pages of the administration portals. Again, functionally, the existing features remain the same. But what we changed is the wording we used around integrated third-party directories. These changes are meant to:

  • distinguish between authentication settings that are used with local accounts (native to UiPath) and the ones that are used with directory accounts (originating from a third-party directory);
  • clarify the impact of configuring a third-party directory integration at host level, in which case it is only enabling SSO for all users, as opposed to configuring it at organization level, in which case the integration allows for extended capabilities such as directory search from within UiPath and auto-provisioning of accounts.

 

EDR protection status

The status of the integration between UiPath Robots and the CrowdStrike Falcon endpoint protection platform is now visible in Orchestrator, in a new column, named EDR Protection.
This column is available in the Machines and the Installed Versions & Logs pages at the tenant level, and it displays the integration status for each machine that a robot is connected to. The available statuses are:

  • Enabled - CrowdStrike protection is enabled.
  • N/A - CrowdStrike protection is not enabled or the status is not known.
  • Mixed (only in the Machines page, and only for machine templates) - CrowdStrike protection is only enabled on some host machines, and disabled on others, or the status is not available.


Automation settings for user accounts revamp

We revamped the administrative area where you would configure automation capabilities for user accounts. The Robot Setup tab where admins previously enabled/disabled attended and unattended capabilities for a user has been split into:

  • The Personal Automation Setup tab, previously under the umbrella of attended automation, and controlled via the Attended Robot toggle.
  • The Unattended Setup tab which, other than having its own tab, didn't undergo significant changes.


We are moving away from the term "attended" and are switching to an all-encompassing "personal automation" when it comes to user setup. Personal automation means your users are able to run processes remotely, under their own identity, in addition to locally on their machines (attended). Read on for more details about personal remote automation.

Personal remote automations

Unattended automations typically run on robot accounts, the UiPath equivalent of Windows service accounts. An administrator can enable an unattended robot to impersonate a user account; that is, act on behalf of that user identity, to allow the robot to run automations with the same privileges as that user.

Running unattended automations on user accounts is typically needed by RPA developers debugging their automation projects, as well as citizen developers and business users running automations under their own identity, but on server-side resources instead of their local machines.

Until now, running an automation as yourself on remote machines instead of your local machine required an admin to first configure your account to allow impersonation by an unattended robot by enabling the Unattended robot toggle.

Starting today, both developers and business users can run background automation under their own identity on remote machines only via personal automation capabilities, that is without requiring an unattended robot configured for their user accounts. We call these personal remote automations, since they run under the user's identity and on server-side resources to which the user has no direct access.

[Image: Starting a job manually from Orchestrator to run as yourself]

[Image: Configuring a time trigger in Orchestrator to run as yourself]

Known issue: When a Named User license is removed from a user, their personal robot is removed, and any trigger running under that user's identity (set to Run as myself) becomes invalid. Reallocating a license to the user does not revalidate the trigger. You need to delete the broken trigger, and create a new one.

Allocating host machines for personal remote automation is done using machine templates. An Orchestrator administrator configures and sets up the remote infrastructure for users by adding a machine template object to the users' folders, just as they would do in a typical unattended setup. It can be a machine template, or a Cloud Robot - Serverless machine if you are using Orchestrator in Automation Suite.

You can still enable unattended automation on user accounts in addition to personal remote automation. The differences between the two are:

  • You can only run personal remote automations if the underlying process is a background process; it does not work for processes that require user interaction. To execute processes that require user interaction, enabling and configuring an unattended robot is still required.
  • In personal remote automation, the user's identity is used for executing that single process, so it helps achieve granular control in terms of when and how the user's identity is used. Unattended robots, on the other hand, act as the user they impersonate to execute processes across all folders the user has access to.

Admins: Learn how to enable your users to run personal automations.
Developers and business users: Learn how to run personal remote automation.

Granular job priorities

Job priority can now be set at a more granular level, with a total of ten types of priority to choose from. These are available at the process, job, and trigger level, and allow you to be very precise when dealing with large numbers of folders, processes, and queues.

Jobs that had one of the previous three priorities are mapped to the new set as follows:

  • Low > Low
  • Normal > Medium
  • High > High

Additionally, job priority can be set from the API, as a numeric value between 1 and 100, by using the new SpecificPriorityValue parameter available in the following endpoints:

  • POST /odata/Jobs/UiPath.Server.Configuration.OData.StartJobs
  • POST /odata/ProcessSchedules
  • PUT /odata/ProcessSchedules({key})

New credential store

You can now choose from a wider selection of plugins to store your Orchestrator credentials as we have added support for Thycotic Secret Server.

For details about the newly supported credential store, see Thycotic Secret Server integration.

From cookie to token-based authentication

We migrated from cookie-based authentication to token-based authentication. Following this change, user login attempts are no longer saved in Orchestrator. As a result, the /odata/UserLoginAttempts({key}) endpoint and corresponding Login Attempts section on the My Profile page in Orchestrator have been deprecated and only return login attempts made prior to this change (i.e. login attempts with cookies). From now on, login attempts made using access tokens can be accessed solely via Audit Logs.
Token-based authentication changes the way Orchestrator computes the last login time of a user. From now on, the last login time is computed once per hour for a user actively using Orchestrator.
Say a user is using Orchestrator between 14:10 and 15:00. Having been authenticated at 14:10 means that 14:10 is displayed as their last login time until the next hourly check. If they keep using Orchestrator until 16:00, 15:10 is displayed as the user's last login time.

Here are the places in the Orchestrator UI where you can see the changes in how we compute the last login time for your users:

  • Assign roles page (Tenant > Manage access)
  • Personal workspaces page (Tenant > Folders > Personal workspaces)

Several configuration parameters have been removed as a result of migrating from cookie-based authentication to token-based authentication:

  • the Auth.Cookie.Expire and Auth.Cookie.ValidateInterval parameters from the UiPath.Orchestrator.dll.config file
  • the cookie client support. That is, we have removed the OpenId Connect URLs for authentication calls, and the corresponding parameters from the UiPath.Orchestrator.dll.config file.

Authorizing API calls in Swagger

You can also authorize API calls in the Swagger UI using OAuth2.
See how to obtain an access token, send requests or revoke access.

Personal Workspace APIs

Personal workspace endpoints have been exposed and are now available for you to use them in your API requests:

  • GET /odata/PersonalWorkspaces - retrieves personal workspaces;
  • POST /odata/PersonalWorkspaces/StartExploring - starts an exploratory session of a personal workspace on the current user;
  • POST /odata/PersonalWorkspaces({key})/UiPath.Server.Configuration.OData.StopExploring - ends an exploratory session of a personal workspace for the current user;
  • POST /odata/PersonalWorkspaces({key})/UiPath.Server.Configuration.OData.ConvertToFolder - converts a personal workspace into a folder;
  • GET /odata/PersonalWorkspaces/UiPath.Server.Configuration.OData.GetPersonalWorkspace - retrieves details about the personal workspace of the current user.

Converting a personal workspace with a certain ID into a modern folder via API.

Orchestrator read-only replica

Orchestrator can benefit from a read-only replica of its operational database, which allows data to be read and loaded faster, thus ensuring the performance of your system.
This option must be configured while installing the SQL server, and can be enabled using the Features.Queues.QueryUseReadOnlyReplica and Monitoring.UseReadOnlyReplica parameters.

Installation and upgrade news

Support for Windows Server 2022

Windows Server 2022 is now supported in Orchestrator.

Support for Elasticsearch 8.x

Standalone Orchestrator now supports Elasticsearch 8.x, with the documentType parameter set to an empty string in NLog targets.

The same is true for Automation Suite Orchestrator, but only when robot logs are set up through advanced configuration.

In order for Elasticsearch versions 8.0 and higher to work properly, the documentType parameter is now empty, and a new parameter, enableApiVersioningHeader, has been added, which must be set to true.

New Publish-Orchestrator.ps1 parameter

A new optional parameter, -OrchestratorRootUrl, has been added to the Publish-Orchestrator.ps1 Orchestrator script, which controls the root URL used for alert links in the daily alerts summary email. This parameter should be used if you are hosting Orchestrator behind a reverse proxy with a more complex route (e.g. https://my.custom.domain/automation). If this is not the case, the links in the daily alert summary email will point to either the first custom domain of your Orchestrator app service, or to the default https://*.azurewebsites.net if no custom domain is configured.

Enforced environment value for ASP.NET Core

The web.config file of Identity Server now contains the ASPNETCORE_ENVIRONMENT variable, with an enforced value of Production. You cannot override this value.

Platform configuration tool

We improved the platform configuration tool to convert uppercase strings to lowercase. This helps avoid spelling errors that might cause installation failures.

New scheduling system

The Quartz.Net framework used by Orchestrator for scheduling processes was replaced with a new scheduling system, which uses an internal library tailored for performance. As such, it allows for better and faster trigger scheduling, and higher throughput with much shorter delays.
Known issue: When you upgrade from 2019.10 to 2022.10, pending jobs created by time triggers configured with the Stop job after option are no longer stopped automatically. You therefore need to stop or kill them manually.
This does not occur for any pending jobs created after the upgrade.

Upgraded NLog targets

When you upgrade Orchestrator, existing NLog targets of types database, monitoring, and insightsRobotLogs are deleted and recreated, as follows:

  • Upon upgrade to 2022.4, NLog database targets are reverted to their default values.
  • Upon upgrade to 2022.10, NLog database targets are deleted and replaced with new and improved targets.

Storing all tenants in a single external bucket

Administrators can now restrict Orchestrator's access to your external storage by only allowing it to update the buckets you created. Additionally, you can store all tenants in a single bucket, thus escaping the limitation some external providers impose on the number of buckets per account. Use the new config parameters in the connection string of your storage provider to enable this functionality. If you have several tenants, Orchestrator creates a folder inside the specified bucket and appends the tenant's ID to the Orchestrator prefix you set. By default, the prefix is orchestrator.
For Automation Suite, use a prefix to differentiate between service storages. For example, all Data Service files can be stored in a bucket under the data-service prefix.

Digitally signed scripts

  • Orchestrator PowerShell scripts used for installation and upgrade are now digitally signed.
  • Identity Server PowerShell scripts used for installation and upgrade are now digitally signed.

Improvements


Alerts revamp

Separate alerts for attended and unattended robots
The alerting mechanism now delivers separate alerts for Attended and Unattended robots. Therefore, unattended robots alerts are prefixed with “Unattended”. Likewise, attended robots alerts are prefixed with “Attended”. In addition, the Fatal and Error severity levels for attended robots alerts are reduced to Info.

The following table summarizes the changes:

| Previous alert | New alert - Attended | New alert - Unattended |
|---|---|---|
| Robot is disconnected. Severity level: Fatal | Attended robot is disconnected. Severity level: Info | Unattended robot is disconnected. Severity level: Fatal |
| Robot is unresponsive. Severity level: Error | Attended robot is unresponsive. Severity level: Info | Unattended robot is unresponsive. Severity level: Fatal |
| Robot is available. Severity level: Info | NA | Unattended robot is available. Severity level: Info |

New email templates

Our alert emails have a fresh look. The Error summary and the Alert summary emails display information in a more intuitive and comprehensive way than they used to.
Subscribe to the desired alerts and see the new emails in your inbox.

Getting to the alert root cause

Now each alert in the Error summary email provides a link that redirects you to the associated component page, filtered to display the root cause so you can remediate it.
To provide the same redirects to the root cause, the See alert source button was added to the Alerts page.
Check out our documentation about Alerts.

Granular subscriptions

Filter the event types you want to receive alerts about. The enhanced Alert preferences page gives you the possibility to select the specific event for every component that allows subscriptions.
Learn how in our documentation.

Alert audience

As an organization administrator, you can choose the events and folders your users receive alerts about:

  • Make specific alert selections in a user's alert preferences profile.
  • Restrict the folders your users receive alerts from, without removing their access in the folder.
    Find out how you can configure your users' subscriptions.

New alerts for jobs

  • Jobs stuck in a pending or resumed state
    We know that having a job stuck in the pending or resumed state may cause some frustration. That's why we added a new toggle that activates alerts for jobs stuck in pending or resumed for a duration of your choice. Turn the toggle on to receive "Error" alerts every time the job exceeds the selected duration in the pending or resumed state, and take further actions to unblock it.
    The new toggle option is available on Create/Edit Trigger and Start Job pages.

  • Jobs have not finished running
    Seeing the running status of a job may induce enthusiasm. But seeing the same status for more than the expected period may raise some questions. Don't worry, we've got you covered when these things happen. A new alert will notify you of jobs that have been running for more than the configured duration. Just turn on the Generate an alert if the job started and has not completed toggle on Create/Edit Trigger and Start Job pages.

Studio triggers in Orchestrator

Connected triggers in personal workspaces

Orchestrator accommodates trigger-based automations from Studio via several personal workspace adjustments:

  • Publishing a project to Orchestrator makes the package available in your personal workspace. To make you execution-ready in a jiffy, Orchestrator automatically creates a process in the workspace. The process has the same name as the Studio project.
  • Republishing the automation project to Orchestrator overwrites the queue trigger properties set by the activity.
    For example, if you manually edit a trigger in Orchestrator and set an alert option, this setting will be preserved at republishing. However, a time trigger’s Cron expression or a queue trigger’s SLA prediction will be overwritten by the value present in the workflow.

Managing connected triggers requirements in your processes

Starting today, Orchestrator provides you with the means to configure the queue triggers and time triggers in your processes via the Package Requirements tab. This allows you, for example, to create missing queue and time triggers.
Find out more in our documentation.

CyberArk CCP

  • Orchestrator now supports .cer certificates as Server Root CA certificates.
  • Certificate configuration errors now contain more details about the cause of the problem.
  • Explicit error codes are now logged by Orchestrator for unsuccessful CyberArk CCP requests.

Database maintenance scripts

We have made improvements to the scripts helping you keep your Orchestrator database clutter-free. As a result, you can easily clean up queue items, jobs, AuditLogs, and AuditLogEntities.
For details, see Maintenance considerations.

User management

  • A new confirmation window is now displayed when deleting users. The window lists the users with busy robots and informs you that deleting them also deletes the ongoing jobs. Similarly, when editing a user with busy robot, the confirmation window informs you the jobs
  • You can now remove or edit a user that has a busy robot associated to it. This is done in the Manage Access page, at the tenant level.
    Before you can remove or edit, you are informed that any running jobs might fail (when editing) or will be deleted (when removing), and are asked to choose whether you want to proceed with the operation or cancel it.
  • Previously, when a user attempted to assign roles that included permissions that they themselves did not have, we would display a warning indicating that the operation might require higher privileges. Now, we no longer allow assigning roles in such a case, unless you have the Roles - Edit or Roles - Create permissions. When trying to assign roles with permissions you don't have, the error message points out the roles that include the extra permissions and you must remove the indicated roles to proceed with role assignment.

Asset management

  • The text of the 1002 error message, "Get Asset Value: Could not find an asset with this name", has been changed to "Get Asset Value: Could not find the asset '{0}'", which makes it easier to identify and troubleshoot missing assets.
  • The maximum password size for assets of the type Credential has been increased from 256 to 25,000 characters.

External apps

  • External apps can now authenticate using the client credentials flow.
  • The external application ID now shows up in the audit grid of your queue item events.

SAML POST binding

When configuring the SAML integration for your organization, we now also support the HTTP post option for the SAML binding type setting.
Depending on how you set up the identity provider, you can now select HTTP redirect to use URL parameters, or HTTP post to use an HTML form with base64-encoded content instead.
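What the two binding options put on the wire, as an added example (not UiPath code): in the SAML 2.0 HTTP-Redirect binding the message is raw-DEFLATE-compressed, base64-encoded and carried in a URL parameter, while in HTTP-POST it is only base64-encoded and carried in a form field. The sample request, host names and helper names below are constructed for illustration.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode

MAX_XML_BYTES = 1 << 20  # refuse larger messages (decompression-bomb guard)
XMLDSIG_NS = b"http://www.w3.org/2000/09/xmldsig#"

# Constructed sample message; ID and host names are placeholders.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2022-10-24T00:00:00Z" '
    'Destination="https://idp.example.test/sso"/>'
).encode()


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), as the redirect binding requires."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def inflate_raw(data: bytes, limit: int = MAX_XML_BYTES) -> bytes:
    """Inflate raw DEFLATE, rejecting oversized or incomplete streams."""
    d = zlib.decompressobj(-15)
    try:
        out = d.decompress(data, limit + 1)
    except zlib.error as exc:
        raise ValueError(f"not raw DEFLATE: {exc}") from exc
    if len(out) > limit:
        raise ValueError("inflated message exceeds size limit")
    if not d.eof:
        raise ValueError("truncated or not raw DEFLATE")
    return out


def build_params(binding: str, xml: bytes, relay_state: str = "") -> str:
    """Return the URL query string (redirect) or the form body (post)."""
    if binding == "redirect":
        payload = deflate_raw(xml)
    elif binding == "post":
        payload = xml
    else:
        raise ValueError(f"unknown binding: {binding}")
    params = {"SAMLRequest": base64.b64encode(payload).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)  # percent-encodes '+', '/' and '=' in the base64


def decode_message(binding: str, encoded_params: str) -> dict:
    """Decode a captured query string (redirect) or form body (post)."""
    params = parse_qs(encoded_params, keep_blank_values=True)
    field = next((n for n in ("SAMLRequest", "SAMLResponse") if n in params), None)
    if field is None:
        raise ValueError("no SAMLRequest or SAMLResponse parameter")
    # Some senders wrap the base64 text; drop whitespace before strict decoding.
    raw = base64.b64decode("".join(params[field][0].split()), validate=True)
    if binding == "redirect":
        xml = inflate_raw(raw)
        # Redirect binding: the signature travels as separate query parameters.
        signed = "Signature" in params and "SigAlg" in params
        signature = "query parameters" if signed else "absent"
    elif binding == "post":
        if len(raw) > MAX_XML_BYTES:
            raise ValueError("message exceeds size limit")
        xml = raw
        # POST binding: the signature is embedded in the XML itself.
        # This is only a presence indicator, not signature verification.
        signature = "XML-DSig element" if XMLDSIG_NS in xml else "absent"
    else:
        raise ValueError(f"unknown binding: {binding}")
    return {
        "binding": binding,
        "field": field,
        "xml": xml,
        "relay_state": params.get("RelayState", [""])[0],
        "signature": signature,
    }


if __name__ == "__main__":
    for b in ("redirect", "post"):
        wire = build_params(b, SAMPLE_AUTHN_REQUEST, "tab1")
        print(b, len(wire), decode_message(b, wire)["signature"])
```

When reviewing captured traffic, a message that decodes under one binding but not the other tells you which option the identity provider integration is actually using.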

Linking resources

  • When you use the Link from other folders option to link an object that is already linked to several other folders, the names of these original folders are now displayed in the Folder column of the Folder validation page. Previously, the number of folders was displayed instead.
  • The Select Queue and Select Asset pages displayed when trying to link queues/assets from other folders now contain the Labels and Properties columns, with corresponding filters, allowing you to easily identify each item.

Usability

Folder contextual menu

Each individual folder now has its own contextual menu. It offers an at-a-glance view of all folder-scoped actions, aggregating the options that were previously included in the Quick Actions and Folder Selection menus.

What is more, the selected folder's name is now displayed in the breadcrumbs, and clicking it takes you back to the Home tab.

Queue improvements

  • We improved queue charts by clarifying that the Business Exceptions, Application Exceptions, and Successful Transactions cards display the corresponding average execution time in seconds.
  • You can now see the Output and Analytics data of a transaction whose status was set to failed via the Set transaction status activity.

New Help button in Orchestrator

  • Clicking the Help button in Orchestrator now provides shortcuts to various help options, such as product-specific content - documentation, release notes, YouTube tutorials - or redirects to our support and resource centers.
  • We also renamed the feedback form link from Submit your idea to Provide product feedback.

Robot Settings naming changes

The following changes have been made to the Robot Settings page:

  • The Resolution settings section has been renamed to Session settings.
  • The Login To Console option has been moved from the Logging settings section to the Session settings section.

Monitoring page layout

The entities available on the Monitoring page are now displayed in a row instead of a drop-down list.

Language and Theme menus

The Language and Theme menus are now available in the Preferences page, which you can access by clicking Preferences in the user menu, on the top-right of any Orchestrator screen. Previously, the two options were included in the user menu itself.

New time columns

We added new time columns on several Orchestrator pages to display the action absolute timestamp, in addition to the relative time: Audit, Alerts, Jobs, Triggers, Logs, Testing. The new time format includes milliseconds, thus ensuring a detailed view.
To see the new columns, you must select them individually on each page, as they are not visible by default.
Note: Absolute timestamps are rendered in the tenant time zone. For triggers, the next run time is rendered in the trigger time zone, which may differ from the tenant time zone.

Search shortcut

You can now search for resources in a tenant by using the following keyboard shortcut, which is available from anywhere within Orchestrator:

  • Ctrl + / on Windows computers
  • Cmd + / on Mac computers

Helpful error message

An explanatory warning message, "Cannot determine ssl binding site name when ssl flags options are set.", is now displayed when Get-ChildItem -Path IIS:\SSLBindings is called from the Platform Configuration Tool.
The reason for this warning is an IIS issue which prevents the site name from being returned upon calling this parameter, no matter which SSL binding flag is selected in the Platform Configuration Tool.
Previously, an inaccurate error message, "No SSL binding is used by UiPath Orchestrator.", was displayed in such cases.

Navigation

The forward slash (/) in breadcrumbs has been changed to a chevron (>). This allows you to navigate back to a previous page by clicking the desired level in the breadcrumb.

Encrypted passwords remain secret

Audit log requests no longer return the encrypted password values of credential assets.

Known issues


  • The Time column value in exported logs is not displayed correctly. The data behind it is accurate, but the format is broken when the log is opened in Excel. To display the time correctly, choose the right format (namely Date) for that column in Excel.
  • A connected queue trigger is displayed as available and configured after you delete the associated queue. The expected behavior is to display the connected trigger as a missing requirement.
  • Attended robots in classic folders continue to generate the Attended robot is available alert, although the alert was removed from the alert subscription list.
  • A connected queue trigger created on the Triggers page won't be recognized by the queue trigger activity in the process. You need to create and edit the corresponding queue triggers only from the Package requirements page, during process creation.
  • Queues that use SLA predictions and originate in other folders cannot be migrated. Even though folder migration succeeds, you must manually recreate the link between your migrated folder and these types of queues.
    Say you have queue Q1 with SLA1 originating in the classic folder C1. You link Q1 in a classic folder C2. Upon migrating both folders, only the migrated folder C1 contains the queue Q1. To ensure processes functionality, link Q1 to the migrated folder C2.

Bug fixes


  • Robots were unable to retrieve their passwords if their secrets were stored in a HashiCorp Vault credential store configured with the ActiveDirectory secrets engine.
  • Exploring packages of workflows with two or more consecutive switch activities resulted in an error.
  • Sorting assets by Name in the Assets page did not work.
  • Editing objects from the global Search page incorrectly required View permissions on Folders or on Subfolders.
  • When you deleted a process that was associated to a trigger, that particular trigger was still displayed on the Search page, instead of being deleted along with the process. If you tried to edit the trigger on the Search page, the "ProcessSchedule does not exist (#1002)" error was returned.
  • An explanatory warning message, Cannot determine ssl binding site name when ssl flags options are set., is now displayed when Get-ChildItem -Path IIS:\SSLBindings is called from the Platform Configuration Tool.
    The reason for this warning is an IIS issue which prevents the site name from being returned upon calling this parameter, no matter which SSL binding flag is selected in the Platform Configuration Tool.
    Previously, an inaccurate error message, "No SSL binding is used by UiPath Orchestrator.", was displayed in such cases.
  • When users who did not have the organization administrator role navigated to the Management portal URL, they were navigated to an administrator-only page (https://<server>/identity/management/users) and saw a message stating that the URL does not exist, which was confusing. Now, the message This URL is only available to admins is displayed when they navigate to an admin-only page, and they are navigated to a non-administrator page.
  • We fixed a spelling error detected in the UiPath.Orchestrator.dll.config file.
  • We fixed a deadlock that was preventing new jobs from being created in classic folders, while using specific robots.
  • Orchestrator cookie sizes sometimes caused exceptions and raised security concerns. This is no longer an issue, since Orchestrator moved from cookie-based authentication to token-based authentication.
  • The audit entry that was generated when creating a user was missing information.
  • An error was displayed when you tried to run an automation from a subfolder, with a machine template that was propagated to that subfolder from the parent folder. The operation only worked when assigning the machine template directly to the desired subfolder. Now, you can run automations with both directly assigned and propagated machine templates.
  • Accessing your profile preferences redirected you to an error page.

Deprecation timeline

We recommend that you regularly check the deprecation timeline for any updates regarding features that will be deprecated and removed.

What do the labels mean?


This version of Orchestrator is available in two deployment models:

  • standalone Orchestrator
  • Orchestrator service which is part of Automation Suite

The product is similar enough across deployment types to share the same documentation.
But differences do exist. When certain information applies to only one of the deployments, we use the following labels:

  • - only applies to standalone Orchestrator and does not apply to Automation Suite Orchestrator.
  • - only applies to Automation Suite Orchestrator and does not apply to standalone Orchestrator.

Whenever there is no label, the information applies to both deployment types.
